The Wrong Breach Law

Last week, the Senate Judiciary Committee passed the "Personal Data Privacy and Security Act of 2007" (see more in Security Fix, Federal Data Breach Bills Clear Senate Panel):

Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. In the Leahy-Specter bill, an organization would be required to disclose a data breach or loss if it posed a "significant" risk of harm to the affected consumers.

Meanwhile, the "Notification of Risk to Personal Data Act of 2007," a bill introduced by Sen. Dianne Feinstein (D-Calif.), would require disclosure only in the event that the breach resulted in a "reasonable risk" of harm, a term of art that groups like Consumers Union say would leave companies more wiggle room in determining when to talk about a consumer data spill. The Identity Theft Prevention Act of 2007, a data breach bill approved by the Senate Commerce Committee last week, also takes this approach. Feinstein's bill was also approved by the committee today.

Leave it to the lawyers to argue over 'significant' versus 'reasonable,' while missing the big picture. These folks are worse than the emacs/xemacs split. The liability of getting your significant/reasonable risk assessment wrong, after you've just made a mistake, seems quite high.

Worse, it will make the data that we can mine from Attrition/Privacy Rights Clearinghouse that much less valid, by adding sampling bias. I covered this in "Disclosure, Discretion and Statistics," and feel it's worth repeating as Congress debates these points.

Dissent points out that US PIRG is saying much the same thing in "Senate breach notification and data protection bills get mixed reactions."